The Moment I Stopped Confusing Security with Imprisonment
It was actually years ago when I recognized that what I’d manufactured for my safety was actually sucking the life out of me, but a LinkedIn post that I read recently, reminded me of that moment of freedom.
Before I break down and address the high-level points in this post, let me say a little somethin’.
First, security will never genuinely happen for a business, a person, a federal organization, a state, a region, or a country until we recognize and act on the fact that we have the freedom to be secure. Security is rooted in freedom — the freedom to choose how we protect ourselves, our assets, and our information.
Anything imposed on us in the physical or digital world— and that we do out of fear of punishment or anticipation of reward — does not equate to security.
But it DOES equate to imprisonment.
Compliance = imprisonment is the more accurate equation.
BUT, let’s be honest. We also have the freedom to be imprisoned.
And we use that freedom often.
Sometimes, we (people and organizations) choose imprisonment over security. Why? Because making decisions for ourselves, taking ownership, and being accountable can be uncomfortable and frightening.
Accountability requires work, responsibility, and yes, sometimes making mistakes. Many of us fear being blamed for something going wrong. We fear feeling incompetent, we fear repercussions of the deciding or cutting off of things to make trades offs for security.
So, instead of taking ownership and choosing to be secure, we fall back on compliance. Compliance is imprisonment, but it’s the kind of imprisonment that some may choose to avoid ownership and control.
But we must be clear: compliance equals imprisonment, while the freedom to decide equals security. When security is confused with imprisonment, we ignore and push aside our ability to be truly safe. To be imprisoned is to be controlled, to have decisions made for you.
Security, on the other hand, requires freedom, choice, and the ability to control your own feeling and state of security.
Now that I’ve established this foundation, walk with me as I address the claims about compliance-driven security listed in this post — claims that confuse imprisonment with security.
Here are the points made in the LinkedIn post and often made by compliance advocates (not just the writer of this post), and my responses to why compliance does not, and cannot, equal security.”
Claim 1. “Compliance moves the needle on security.”
If compliance moves the needle on security, it’s in the same way that taking cough medicine moves the needle on emphysema or Pepto-Bismol moves the needle on my stress levels.
It’s a superficial fix that might ease symptoms for a moment, but it doesn’t address the underlying issue. Compliance may give the appearance of progress, but it’s progress in terms of “the operation was a success, but the patient died”, which was an article I wrote some years ago. What it’s actually doing is obscuring the deeper problems that created the move towards compliance in the first place.
Claim 2. “Organizations won’t invest beyond compliance.”
This is simply not true. Organizations that understand the power they yield when they take ownership of their cybersecurity space absolutely do invest beyond compliance. And not only beyond compliance, but BEFORE compliance.
I have no idea what the Virginia State law requires when it comes to caring for my children. I don’t know the minimum level of care required before I get thrown in jail or my kids get taken away. My love and care for my children compels me to do what my heart says to do and they are happy, healthy and thriving…without me knowing anything about what’s “required”.
In the exact same way, many businesses care for what they have created as if it’s their own offspring, this emotional connection compels them to own and nurture the accountability and control they have to protect and secure it.
Being in control of their cybersecurity posture isn’t just about following rules, it’s about reaching a state of health — much like maintaining mental, physical, and psychological health. In both health and security, reaching that optimal state brings enormous value: pride, fulfillment, improved relationships, stronger partnerships, better collaboration, peace , and yes, profitability.
Claim 3. “Security is viewed as a cost center.”
Now, this, I agree with.
The reason security is often viewed as a cost center is because compliance implies no ownership. Compliance suggests that security is not mine to control or influence; it belongs to someone else, and I’m just forced to act on it.
When you feel no ownership over something, you’re not motivated to invest in it. Why would you invest time, attention, or money in something that doesn’t belong to you?
Without ownership, there’s no accountability, and without accountability, I can’t decide or change anything. I can only control and change what I’m accountable for.
Compliance only exacerbates the perception of no control (which is not true) because it reinforces the idea that security is someone else’s domain to control and manipulate.
Claim 4. “Developers (and even cybersecurity professionals) view security as a chore.”
I’m with you on this one too!!
And it’s not just developers who view security as a chore — many cybersecurity professionals do too, and again, it comes back to ownership. If security isn’t something you feel responsible for — if it doesn’t belong to you — then why care?
Compliance tells people, ‘You have to do this,’ but that obligation comes with no deeper investment in the outcome. It becomes a box to check.
You’re only doing the task so you can get paid or avoid a penalty, not because you feel like you have any stake in the actual security of the organization.
When people don’t feel like they own something, they won’t care enough to do more than the bare minimum.
Think about where YOU just give it your some.
Claim 5. “Compliance-driven security spending is the overwhelming driver of security investments.”
Compliance-driven security spending is a mistake. It’s like buying something because of clever marketing or peer pressure — you’re not acting out of genuine need or understanding, but because you feel pressured to do so.
Just as marketing can trigger emotions to drive purchases, fear of penalties or desire for rewards drives compliance spending.
But if we want real security, we must abandon compliance; we need that spark of recognition, the thing that will ignite our intrinsic drive to care for the people, causes, and creations that truly matter to us — the things that help define who we are.
We need people and organizations to take ownership of security the same way they would take ownership of their health or their home. If you understand the value of what you’re protecting, you don’t need to be forced to secure it — you’ll do it because it’s yours, and you recognize the benefits of being safe, resilient, and prepared.